Hi there -- I subscribed to this mailing list for the express purpose of replying to things that have been said on the subject of unsolicited bulk e-mail.

Phil Lawlor of AGIS has suggested that a "Caller-ID" type of functionality be built into sendmail. Do I think that is a good idea? In a general sense, it probably is -- accountability is a Good Thing, and a mechanism such as he suggests will probably help situations where mailbombs, Denial of Service attacks, or harassment have occurred and the perpetrator has to be found.

Will it help reduce spam? Absolutely not. People will find ways to "block" the "caller ID", and not everyone uses sendmail as a mail server anyhow.

Phil also mentioned that he spent a sizable sum of money on the IEMMC and it ended up going nowhere. That might possibly be because the IEMMC was run, apparently, by Walter Rines. Walter Rines is owner of Quantum Communications, a big spamhaus that was (until recently) hosted by AGIS. I question the wisdom of putting a spammer in charge of an organization that is supposed to reduce spam levels for people who don't want to be spammed. Would you put a convicted murderer in charge of a program designed to rehabilitate criminals? Probably not.

Incidentally, Mr. Lawlor, if you really *are* participating in this discussion because you are interested in lowering the level of spam that gets dumped on the Net on a daily basis, I commend you for your change of heart. Those of us who frequent the news.admin.net-abuse newsgroups would be quite proud of you.

--
NACS.NET ** Steve Sobol (sjsobol @ nacs.net) *** 216 619-2000, 1-888-273-NACS
Tech Support, Programming, Postmaster, DNS dude, Real-Live Human Abuse Auto-Responder & Spam Fighter who is waiting for his Netscum Page. (Where is it, Boursy??)
** http://www.nacs.net ** Net Abuse Hotline: abuse @ nacs.net
> Incidentally, Mr. Lawlor, if you really *are* participating in this discussion because you are interested in lowering the level of spam that gets dumped on the Net on a daily basis, I commend you for your change of heart. Those of us who frequent the news.admin.net-abuse newsgroups would be quite proud of you.
I have mixed feelings. I have had AGIS representatives (including Adam Hersh) tell me that I was forging the spam I received, since their spammers would never break the rules. When I said "Excuse me?" he watered it down to "well, most of the complaint mail we get is forged... it complains about spam that was never sent."

I've had mailbombings from CyberPromo customers using my domain name to sneak past AOL's filters, generating thousands of bounces into my postmaster box. When I called AGIS's NOC to report it, an AGIS employee told me that after asking on five separate occasions for copies of the spam, that he'd received none, and that AGIS was filtering most of their mail to discard anything that had the word 'spam' or 'US Code 47' and other such strings in it. I should call back in the morning when Adam could change the filters to let my mail through.

I had AGIS employees tell me that the person who sent the above spam (whose name, it was pointed out to me was in the copies of the Cyberpromo password file posted to Usenet) was not a Cyberpromo customer when he had a working autoresponder at Cyberpromo. Seems despite me asking them repeatedly to try it, they never bothered. Instead, they called Sanford Wallace who told them "um, no, he's not mine!".

And now, of course, I see AGIS is peering news with a site that has been spewing 16k posts a day into Usenet that refuses to stop. Following standard practice of alerting peers to a probable UDP is impossible considering that any such complaint to AGIS is no doubt (as has been confirmed by AGIS employees) auto-discarded.

AGIS has a lot of sins in the past, and despite Mr Lawlor's posts here, I find they still have a long way to go before they can be considered a productive member of the Internet. Mr Lawlor's insistence on a technical solution to a people-problem is typical of the same old sidestepping he's been doing for months.

I can positively identify spam coming from Sanford Wallace. Weee. So what does that do for stopping spam? Sandy will change to relaying through servers that don't digitally sign mail... and I either have to discard all mail from any source that isn't signed or get his spew. And then he'll change to using disposable dialups... wow, I can see 'jb12783@bellatlantic.net' is today's cyberpromo alias. It'll be digitally signed so I can be sure. Again, that offers me no benefit.

What Mr Lawlor is arguing is that we should all have "white list mail" where we list the people whom we accept mail from and discard anything else. And that we should verify the identity of the sender against that white list. That is the world that he lives in, where the mail to anyone at AGIS is most likely discarded and complaints left unheard. It is NOT the sort of world I want to live in.

Despite your recent predilection for posting, Mr. Lawlor, I fear you have not changed. You are still arguing that I should have to protect myself from the thieves and vandals that you service and that you don't care if they abuse my services. It's a new wrapper on the same old AGIS song and dance and I'm not impressed.
I apologize in advance to the members of this list for answering this flame bait. I will refrain from doing this as much as possible.

At 06:17 PM 10/29/97 -0800, Brian Moore wrote:
> AGIS has a lot of sins in the past, and despite Mr Lawlor's posts here, I find they still have a long way to go before they can be considered a productive member of the Internet.
AGIS is a VERY productive member of the Internet today, and has been since before the NSF solicited a competitive Internet backbone.
> Mr Lawlor's insistence on a technical solution to a people-problem is typical of the same old sidestepping he's been doing for months.
I've never sidestepped the issue. AGIS does not like spam. It never did and it never will. We are seeking to solve the problem. The technical problem *is* that spamming is done all too easily. I am afraid that Congress could pass more unenforceable legislation, which would waste US taxpayers' money. As long as people can make money off of spam, they will. If you can't clean up the spammer, then you have to start putting other measures in place.
> I can positively identify spam coming from Sanford Wallace. Weee. So what does that do for stopping spam?
Then you can refuse it. You can take responsibility for yourself. You no longer need to send out all those complaints, burdening the system even greater. You have made my point for me. Thank you.
> What Mr Lawlor is arguing is that we should all have "white list mail" where we list the people whom we accept mail from and discard anything else. And that we should verify the identity of the sender against that white list.
First of all, I am not arguing. Secondly, do not put words in my mouth. Thirdly, sendmail already has the capability to do just what you are talking about. I am mainly concerned with forgery and hijacking.
> That is the world that he lives in, where the mail to anyone at AGIS is most likely discarded and complaints left unheard. It is NOT the sort of world I want to live in.
Absolutely a patented lie. I can prove it by sending you back the hundreds, if not thousands of complaints you have sent to my email address alone, never mind all the other email addresses at AGIS you have been abusing by sending to anyone at AGIS other than abuse@agis.net. This mailing list is for network operators. We are discussing operational issues, not political ones.
> It's a new wrapper on the same old AGIS song and dance and I'm not impressed.
I'm *really* sorry I didn't impress you. Go back to your newsgroup.

Again, to the rest of the list, I apologize, and I will try to refrain from engaging in this type of behavior on this list.

Phil Lawlor
President
AGIS
Voice - 313-730-1130
Fax - 313-563-6119
> I apologize in advance to the members of this list for answering this flame bait. I will refrain from doing this as much as possible.
Not flame bait. Statement of opinion. You've stated yours, I can state mine.
> AGIS is a VERY productive member of the Internet today, and has been since before the NSF solicited a competitive Internet backbone.
Opinion.
>> Mr Lawlor's insistence on a technical solution to a people-problem is typical of the same old sidestepping he's been doing for months.
> I've never sidestepped the issue. AGIS does not like spam. It never did and it never will. We are seeking to solve the problem. The technical problem *is* that spamming is done all too easily. I am afraid that Congress could pass more unenforceable legislation, which would waste US taxpayers' money. As long as people can make money off of spam, they will. If you can't clean up the spammer, then you have to start putting other measures in place.
Hosting CyberPromo helped control spam in what way? Allowing and in fact encouraging them to spam through your network and host their autoresponders and web sites helped control spam how? Clean up their web sites. Refuse to host spammers in any way shape or form. Hosting the sites they run lets them make money and encourages them.
>> I can positively identify spam coming from Sanford Wallace. Weee. So what does that do for stopping spam?
> Then you can refuse it. You can take responsibility for yourself. You no longer need to send out all those complaints, burdening the system even greater. You have made my point for me. Thank you.
I can by reading it. Are you going to pay me for the time to grep for the hundreds of domains that would signify cyberpromo? I don't believe I said I did the above by machine. You can take responsibility for the time I've had to spend constructing spam traps for our users, for ignoring the continued complaints of your customers violating the "IEMMC Rules" by forging addresses and not using the relay machine that was supposed to filter out addresses. You haven't addressed the stories Adam or Derek Mason at your NOC have told me.
>> What Mr Lawlor is arguing is that we should all have "white list mail" where we list the people whom we accept mail from and discard anything else. And that we should verify the identity of the sender against that white list.
> First of all, I am not arguing. Secondly, do not put words in my mouth. Thirdly, sendmail already has the capability to do just what you are talking about. I am mainly concerned with forgery and hijacking.
You're not arguing? You're not setting forth a proposal and trying to back it up? Arguing a point does not mean putting up fists and yelling at the top of your lungs. That you believe it to be so is interesting, though. Sendmail has the ability to bounce all mail from AOL's mailer daemon to random addresses at my domain without interfering with real bounces? It has the ability to automatically update the list of known spam domains? It has the ability to update the list of spam netblocks? Which MC option is that? Your earlier comment about not knowing the capabilities of sendmail was more accurate. I've spent many hours tweaking my sendmail with databases of your IP blocks and the domain names your customers use, but they move to dialups to plug their services. As long as that web site, autoresponder or bulk mailer is on the net, they make money. "As long as people can make money off of spam", you say... well, deprive them of that ability by shutting down what they are advertising. This isn't rocket science. As long as the web site is there what stops them from spamming? What stops them from getting a disposable dialup and spamming from that? Hint: authenticated email doesn't unless you white-list mail.
>> That is the world that he lives in, where the mail to anyone at AGIS is most likely discarded and complaints left unheard. It is NOT the sort of world I want to live in.
> Absolutely a patented lie. I can prove it by sending you back the hundreds, if not thousands of complaints you have sent to my email address alone, never mind all the other email addresses at AGIS you have been abusing by sending to anyone at AGIS other than abuse@agis.net.
Not a lie, Mr. Lawlor, a statement of fact. Mail requested by dmason@agis.net had to be sent five times to abuse@agis.net and his own personal address before I gave up. Mysteriously he found one of them in the morning. Perhaps you don't /dev/null it all, just archive-and-ignore. You pull it out when asked, but never actually bother to read it. Certainly the MANY requests I made to have my domain get a domain opt-out were ignored, as despite requesting it a multitude of times, I still got mail for it, and it even passed through relay2.iemmc.org. I played your little web-page game, I mailed about violations and never got a response. I phoned while being mailbombed with 2500 bounces from AOL and was told it wasn't happening.
> This mailing list is for network operators. We are discussing operational issues, not political ones.
That's very nice. I have a nice little network in 4 states. We're about to add peers at both the north and south ends and replace our basic star with a neat mesh. You're not discussing operational issues at all. You're proposing a secure mail standard. Go talk to the IETF about it and write the RFCs. Be prepared to get two reference versions of the software and spend years hoping people upgrade clients (look at the long history of IMAP to see how slow a process this is when an existing protocol is being superseded). Operational issues would be unplugging people who abuse the services of others.
>> It's a new wrapper on the same old AGIS song and dance and I'm not impressed.
> I'm *really* sorry I didn't impress you. Go back to your newsgroup.
Actually, Mr. Lawlor, despite being active in nanae and other groups, I've been on this list for months. The list owner can certainly verify that if she wants. I just finally got fed up with your claims that having a digital signature on mail will somehow magically stop spam. It won't and you have yet to demonstrate how it will do such. Again, how does it help me to know that the disposable-spammer-account-of-the-day is some rented account at bellatlantic or netcom or whoever. I don't CARE what they authenticated as. The -only- way such information would be useful would be to construct white lists. Since you seem to think different, explain what use it would be.
> Again, to the rest of the list, I apologize, and I will try to refrain from engaging in this type of behavior on this list.
Right.
On Wed, Oct 29, 1997 at 07:49:18PM -0800, Brian Moore wrote:
> I can by reading it. Are you going to pay me for the time to grep for the hundreds of domains that would signify cyberpromo?
Honestly Mr. Moore, this is wholly unnecessary, as my daily cron could tell you;

    echo "Fetching cyberpromo SPAM filter file:"
    fetch ftp://ftp.cybernothing.org/pub/abuse/cyberpromo.domains

Anyone got any marshmallows? I'm enjoying the flames but it just isn't the same without food. :)

--
  //Dan     -=- This message brought to you by djhoward@uiuc.edu -=-
\\/yori     -=- Information - http://www.uiuc.edu/ph/www/djhoward/ -=-
  aiokomete -=- Our Honored Symbol deserves an Honorable Retirement
On Wed, 29 Oct 1997, Brian Moore wrote:
> This isn't rocket science. As long as the web site is there what stops them from spamming? What stops them from getting a disposable dialup and spamming from that?
> Hint: authenticated email doesn't unless you white-list mail.
If you can positively identify the individual, you can say you don't want to accept mail from that person, regardless of where the account is. If the system I described were in place, you could decide to accept mail based on criteria that the certifying authority places on those whose certificates it signed, and you would never have to know the individuals or their ISPs ahead of time. For example, you could say you only wanted to accept mail from either people you specifically wanted (your white list), or from any unknown people that were certified by having a notarized copy of their driver's license (or whatever), which would then allow you to specifically exclude particular people you didn't want to receive mail from.

In an ideal world we wouldn't have to worry about this, we could just all be open and friendly and accept mail from whoever. However, it is no longer that way on the Internet and will never be again. I agree that implementing a scheme digitally signing mail is a vast undertaking that would never be entirely complete. However, I see no alternative in the long run. Your suggestion will always require a large amount of manual effort and you will always be playing catchup with the spammers. Using schemes such as Vixie's blacklist is difficult for an ISP as it presupposes what individual customers will want -- some of them certainly do not want to lose connectivity to a portion of the Internet, even if it means exposing them to spam. After all, we can all certainly be free of spam by simply unplugging the wire, but the cost is obviously too high.

John Tamplin                Traveller Information Services
jat@Traveller.COM           2104 West Ferry Way
205/883-4233x7007           Huntsville, AL 35801
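Added example (not part of the original thread, and not code from any participant or mail software): the acceptance rule described in the message above, run against the cases the thread argues over. It assumes signature verification has already succeeded; the `Sender` and `Policy` types, the assurance-level names, and every sample identity and address are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assurance levels a certifying authority might attest, weakest first.
# Hypothetical names: the thread only offers a notarized ID as one possibility.
LEVELS = {"email-only": 1, "notarized-id": 2}


@dataclass(frozen=True)
class Sender:
    account: str                    # address the mail arrived from
    identity: Optional[str] = None  # person named in a verified certificate
    ca: Optional[str] = None        # authority that signed that certificate
    level: Optional[str] = None     # what the authority checked


@dataclass
class Policy:
    whitelist: set = field(default_factory=set)    # identities always accepted
    excluded: set = field(default_factory=set)     # identities always refused
    trusted_cas: set = field(default_factory=set)  # authorities whose criteria we accept
    min_level: str = "notarized-id"

    def decide(self, s: Sender) -> tuple:
        """Return (accepted, reason). Assumes the signature was already verified."""
        if s.identity is None:
            return (False, "unsigned")
        if s.identity in self.excluded:
            return (False, "excluded identity")
        if s.identity in self.whitelist:
            return (True, "whitelisted")
        if s.ca not in self.trusted_cas:
            return (False, "untrusted authority")
        if LEVELS.get(s.level, 0) < LEVELS[self.min_level]:
            return (False, "assurance too low")
        return (True, "certified stranger")


# Constructed sample data; none of these names come from the thread.
POLICY = Policy(
    whitelist={"alice"},
    excluded={"known-bulk-mailer"},
    trusted_cas={"example-ca"},
)

SAMPLES = [
    Sender("alice@isp-a.example", "alice", "other-ca", "email-only"),
    Sender("stranger@isp-b.example", "carol", "example-ca", "notarized-id"),
    # Same person on a throwaway dialup: the identity, not the account, is matched.
    Sender("jb00001@dialup.example", "known-bulk-mailer", "example-ca", "notarized-id"),
    # Signed, but the authority only confirmed that a mailbox exists.
    Sender("jb00002@dialup.example", "dave", "example-ca", "email-only"),
    # Mail from a server that does not sign at all.
    Sender("legacy@old-mta.example"),
]


def run_samples():
    """Evaluate every constructed sample and return (account, accepted, reason)."""
    return [(s.account, *POLICY.decide(s)) for s in SAMPLES]


if __name__ == "__main__":
    for account, ok, reason in run_samples():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {account:28} {reason}")
```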
> If you can positively identify the individual, you can say you don't want to accept mail from that person, regardless of where the account is. If the system I described were in place, you could decide to accept mail based on criteria that the certifying authority places on those whose certificates it signed, and you would never have to know the individuals or their ISPs ahead of time. For example, you could say you only wanted to accept mail from either people you specifically wanted (your white list), or from any unknown people that were certified by having a notarized copy of their driver's license (or whatever), which would then allow you to specifically exclude particular people you didn't want to receive mail from.
Okay, suppose I bought into this. CMC.NET is now stamping a PGP-signed X-Authenticated-User: line on mail. We'd have to distribute keys for us somehow. I guess the obvious solution is to add a resource type to DNS.

Now, suppose you've never gotten mail from CMC.NET. How would you know just what our requirements for an account are? (For the record, we do require a personally signed contract and current state-issued ID or drivers license.) We'd have to have yet another signatory to stamp our record as meeting that qualification and they would have to verify it.

Basically, we'd be moving to a 'virtual' white list, scattered about like DNS with various authorities overseeing the validity of records. Who would define those authorities? How would they be monitored? Who watches the Watchmen? I'll believe such a system will work when something like DNS is more reliable.

Never mind the huge difficulty in getting a 'new improved' standard to be accepted. Heck, SMTP sucks in implementation quite often (as I write this, I'm being deluged with piles of mail from a broken Lotus Notes gateway, and odds are so are others posting to this list). It's highly difficult in the chaos that is the Internet to make new protocols work unless you're the first or damned lucky. Again, note how long it's taken IMAP to be noticed by vendors and how just now they're realizing it's a pretty nifty protocol.

[List owner... please shoot the person on this gateway:
Received: from merit.edu by uprr-internet.notes.up.com (PostalUnion/SMTP(tm) v2.1.9c for Windows NT(tm)) id AA-1997Oct29.204929.1155.1272450; Wed, 29 Oct 1997 20:49:29 -0500]
> In an ideal world we wouldn't have to worry about this, we could just all be open and friendly and accept mail from whoever. However, it is no longer that way on the Internet and will never be again. I agree that implementing a scheme digitally signing mail is a vast undertaking that would never be entirely complete. However, I see no alternative in the long run. Your suggestion will always require a large amount of manual effort
What suggestion? Unplugging spammers is my suggestion. Do not harbor them, do not encourage them, do not sell to them. Cheap and easy. It has been Mr. Lawlor's suggestion in the past to just use tcp wrappers or sendmail rules to deny spammers, but then kept moving around netblocks and refusing to tell people where their spammers were. I've only done it because it was effective in stopping some of their spew. If you believe Mr. Lawlor, his own system hasn't been effective, since I've gotten "hundred or thousands" of pieces of spam despite it.
> and you will always be playing catchup with the spammers. Using schemes such as Vixie's blacklist is difficult for an ISP as it presupposes what individual customers will want -- some of them certainly do not want to lose connectivity to a portion of the Internet, even if it means exposing them to spam. After all, we can all certainly be free of spam by simply unplugging the wire, but the cost is obviously too high.
Why is it too high? It's quite simple to deny service to those that can't be responsible. Doing so is quite effective.

A couple examples: kiki9@ix.netcom.com was told to quit spamming "her" website ads or she'd lose her hosted site. She'd been spamming from disposable accounts for MONTHS. The spam has since stopped from her.

Although Cyberpromo and Pals have been booted from AGIS, they could easily go get a 28.8k disposable account somewhere and continue their spew. But they haven't managed to do that and have been blissfully quiet. Why? No autoresponders. No web sites.

Mr. Lawlor was right in one point: Spammers do it to make money. Take away their ability to make money and the problem ceases. It -is- something network operators of various sizes can and do daily, whether it is a dialup customer or a DS3 connected site. It has been done for YEARS going back to the days of people complaining about MUD and IRC traffic on the NSF backbone not being 'educational'.

This whole talk of digitally signed mail has nothing to do with NANOG (it is an IETF issue as I pointed out once) and will do nothing to stop spam unless one is willing to whitelist.
On Wed, 29 Oct 1997, Phil Lawlor wrote:
>> Mr Lawlor's insistence on a technical solution to a people-problem is typical of the same old sidestepping he's been doing for months.
> I've never sidestepped the issue. AGIS does not like spam. It never did and it never will. We are seeking to solve the problem. The technical problem *is* that spamming is done all too easily. I am afraid that
You are correct, but from the outside, it looks as if agis has offered itself as a safe haven for spammers. Spammer's IPs are not SWIPed, traceroute doesn't work to them, and a long history of spamming is apparently no obstacle to getting an agis circuit.
> Congress could pass more unenforceable legislation, which would waste US taxpayers' money. As long as people can make money off of spam, they will. If you can't clean up the spammer, then you have to start putting other measures in place.
In my opinion, that's 100% correct. But these other measures needn't be limited to measures you and agis are comfortable with. If you habitually provide connectivity to spammers, you are part of the problem. As a practical matter, you are going to get hammered by (at least) unpleasant email from people who are frustrated with the way spammers step on them. You facilitate that. Unfortunately if you lay down with pigs you get muddy. An occupational hazard.
>> does that do for stopping spam?
> Then you can refuse it. You can take responsibility for yourself. You no
One can't refuse spam without using bandwidth. Is someone going to send me a check for the tens of thousands of spam emails my mail server rejected? I'll hold my breath.
> longer need to send out all those complaints, burdening the system even greater. You have made my point for me. Thank you.
I think the more significant point was made when agis evicted cyberpromo. It did far more to reduce 'burdening the system' when it stopped all that CP spam traffic and the traffic associated with complaints about CP.
> talking about. I am mainly concerned with forgery and hijacking.
How concerned are you? Are you concerned enough to disconnect people which use agis for webfarms, while doing their forging and hijacking from throw-away ppp accounts outside of agis? Too bad you aren't mainly concerned with delousing your network.

Bill
[ On Wed, October 29, 1997 at 20:08:53 (-0500), Steve Sobol wrote: ]
> Subject: SPAM, IEMMC, and Caller ID
>
> Will it help reduce spam? Absolutely not. People will find ways to "block" the "caller ID", and not everyone uses sendmail as a mail server anyhow.
Oh, but it will, just so long as the system ensures that the "blocked caller ID" is clearly identified as such.

Here in Bell Canada territory such calls arrive with "private" names and/or numbers so I just don't answer them. This technique, in combination with some system of recording the names/numbers of known telemarketers who don't block their caller ID and I don't ever have to answer one of their calls. The only problem was with the recent political campaigns where the parties had volunteers call from their own homes to canvass for votes.

Indeed if it weren't for third-party relay spam I wouldn't receive any at all as I currently block all mail where I cannot verify the sender through the DNS and I filter all connections from known spammers.

--
Greg A. Woods
+1 416 443-1734 VE3TCP <gwoods@acm.org> <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
participants (7)
- Bill Becker
- Brian Moore
- Dannyman
- John A. Tamplin
- Phil Lawlor
- Steve Sobol
- woods@most.weird.com